ci: add write permissions for issue monster agent assignment

[Copilot]

The assign_to_agent safe-outputs tool fails with "Resource not accessible by personal access token" because the replaceActorsForAssignable GraphQL mutation requires four write permissions, but the workflow only had read access for actions and contents.

• Added actions: write and upgraded contents: read → contents: write on the agent, conclusion, and safe_outputs jobs in the lock file
• Updated issue-monster.md source permissions to match

Original prompt

what's wrong with issue monster workflow?

Run actions/github-script@ed59741
Agent output content length: 1178
Found 1 assign_to_agent item(s)
Default agent: copilot
Target configuration: triggering
Max count: 1
Looking for copilot coding agent...
Found copilot coding agent (ID: BOT_kgDOC9w8XQ)
Getting issue details...
issue ID: I_kwDOQD9K4M7oC8E9
Assigning copilot coding agent to issue #496...
Using built-in github object for mutation
Error: Raw GraphQL error details (for troubleshooting):
Error: {
Error: "errors": [
Error: {
Error: "type": "FORBIDDEN",
Error: "path": [
Error: "replaceActorsForAssignable"
Error: ],
Error: "extensions": {
Error: "saml_failure": false
Error: },
Error: "locations": [
Error: {
Error: "line": 3,
Error: "column": 7
Error: }
Error: ],
Error: "message": "Resource not accessible by personal access token"
Error: }
Error: ],
Error: "response": {
Error: "data": {
Error: "replaceActorsForAssignable": null
Error: },
Error: "errors": [
Error: {
Error: "type": "FORBIDDEN",
Error: "path": [
Error: "replaceActorsForAssignable"
Error: ],
Error: "extensions": {
Error: "saml_failure": false
Error: },
Error: "locations": [
Error: {
Error: "line": 3,
Error: "column": 7
Error: }
Error: ],
Error: "message": "Resource not accessible by personal access token"
Error: }
Error: ]
Error: },
Error: "data": {
Error: "replaceActorsForAssignable": null
Error: },
Error: "compactMessages": [
Error: "Resource not accessible by personal access token"
Error: ]
Error: }
Primary mutation replaceActorsForAssignable forbidden. Attempting fallback addAssigneesToAssignable...
Using built-in github object for fallback mutation
Error: Fallback addAssigneesToAssignable failed: Request failed due to following response errors:

• Resource not accessible by personal access token
  Error: Failed to assign copilot: Insufficient permissions
  Error: Assigning Copilot agents requires:
  Error: 1. All four workflow permissions:
  Error: - actions: write
  Error: - contents: write
  Error: - issues: write
  Error: - pull-requests: write
  Error: 2. A classic PAT with 'repo' scope OR fine-grained PAT with explicit Write permissions above:
  Error: (Fine-grained PATs must grant repository access + write for Issues, Pull requests, Contents, Actions)
  Error: 3. Repository settings:
  Error: - Actions must have write permissions
  Error: - Go to: Settings > Actions > General > Workflow permissions
  Error: - Select: 'Read and write permissions'
  Error: 4. Organization/Enterprise settings:
  Error: - Check if your org restricts bot assignments
  Error: - Verify Copilot is enabled for your repository
  For more information, see: https://docs.github.com/en/copilot/how-tos/use-copilot-agents/coding-agent/create-a-pr
  Error: Failed to assign agent "copilot" to issue Document flag validation constraints #496: Failed to assign copilot via GraphQL
  Error: Failed to assign 1 agent(s)

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	82.12%	82.12%	➡️ +0.00%
Statements	82.16%	82.16%	➡️ +0.00%
Functions	81.95%	81.95%	➡️ +0.00%
Branches	75.48%	75.48%	➡️ +0.00%

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

This PR fixes a permission issue preventing the assign_to_agent tool from functioning in the Issue Monster workflow. The tool was failing with "Resource not accessible by personal access token" because the replaceActorsForAssignable GraphQL mutation requires four specific write permissions.

Changes:

• Updated workflow permissions from read-only to write access for actions and contents
• All four required permissions (actions, contents, issues, pull-requests) now have write access
• Changes applied consistently to both the source .md file and compiled .lock.yml file

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
.github/workflows/issue-monster.md	Updated top-level permissions to grant write access for actions, contents, issues, and pull-requests
.github/workflows/issue-monster.lock.yml	Applied permission updates to three jobs (agent, conclusion, safe_outputs) that require access to the assign_to_agent functionality

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

Claude Smoke Test Results

Last 2 merged PRs:

• docs: add greeting response for test issue #538: docs: add greeting response for test issue
• fix: restore HTTPS_PROXY and fix smoke-chroot checkout #530: fix: restore HTTPS_PROXY and fix smoke-chroot checkout

Test Results:

• ✅ GitHub MCP (PR retrieval)
• ✅ Playwright (navigated to github.com, title verified)
• ✅ File writing (/tmp/gh-aw/agent/smoke-test-claude-21732111974.txt)
• ✅ Bash tool (verified file contents)

Status: PASS

AI generated by Smoke Claude